1. Field of the Invention
The present invention concerns communication systems that exchange data via wired or wireless links, using modems at different communicating locations. In particular, the invention concerns a method and apparatus for providing communication security for data exchange between modems engaged in point-to-point or point-to-multipoint communications in bidirectional or unidirectional modes. The invention is particularly adapted to provide secure communications in a mobile environment where any of a variety of modulation and encoding techniques, and encryption algorithms, may be used.
2. Description of the Related Art
Conventional communications over wired and wireless links, including satellite links, are provided at high speeds with the use of a variety of modulation and encoding techniques. However, such communications are subject to intrusion and detection of their content. Broadcasts over the air, even at high speeds, can easily be detected with conventional reception equipment, and even communications over wire can be inductively detected in well-known ways. Ordinarily, the data being transmitted, which may be voice, video or data, may contain sensitive information that the originators wish to have protected against unauthorized access. In order to protect the information, encryption techniques are known to be used. Currently, encryption may be provided using commercial encryption standards, such as those that rely upon the standard AES algorithms, including the current AES-128 standard techniques. Implementation of such techniques requires the establishment of a “key” at each of the communicating locations and the exchange of such keys in a secure manner so that only authorized access to the transmitted data can be assured. Data is encrypted using the key and, typically, decrypted using the same key, though different keys may be used as is known in the art. Key generation and exchange must be effectively implemented. Moreover, in order to enhance security, the key must be changed periodically, requiring a rollover of the keys in order to protect against intrusion and attack on the security of the system. Well-known ways to perform key exchange and authentication include those based on Diffie-Hellman, elliptic curve cryptography and RSA. As part of the key generation and exchange process, the modems must be authenticated.
However, the encryption process adds additional overhead to the transmission, thereby rendering the communication less efficient and incurring higher costs. Moreover, in an environment which is subject to link outages, such as wireless mobile communications or satellite communications, interruption of the communication requires reestablishment of the encryption parameters between communicating modems, which may involve additional inefficiencies. Where an outage is experienced and bit errors and data loss occur, resynchronization requires manual procedures or automated techniques that require a significant amount of time to detect loss of crypto sync, exchange messages and re-initialize the crypto states. Further, global time synchronization may be required to serve as seeds in encryption operations or to help in synchronizing changes in keys.
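As an added illustration of the crypto-sync problem just described (example code, not part of the patent or of any product it describes), the following simulation encrypts a sequence of frames in counter mode and drops one frame in transit. When each modem keeps only an implicit, private counter, every frame after the outage decrypts to garbage until the crypto states are re-initialized; carrying the counter in band with each frame lets the receiver resynchronize on the very next frame. The session key, the sample frames and the HMAC-based keystream are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample traffic: short frames a modem might carry over a burst link.
FRAMES = [b"frame-%02d: hello" % i for i in range(6)]
# Constructed session key (an assumption for the example, not a real key).
KEY = hashlib.sha256(b"example session key - constructed").digest()


def keystream(key: bytes, counter: int, length: int) -> bytes:
    """Counter-mode keystream. HMAC-SHA256 stands in as the PRF so the example
    runs with only the standard library; AES-CTR would play the same role."""
    out, block = b"", 0
    while len(out) < length:
        msg = counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def run_link(explicit_counter: bool, drop: set) -> list:
    """Encrypt every frame, deliver all but the indices in `drop`, decrypt at
    the far end. Returns the receiver's view of each frame (None if dropped)."""
    tx_ctr = rx_ctr = 0
    received = []
    for i, frame in enumerate(FRAMES):
        pdu = xor(frame, keystream(KEY, tx_ctr, len(frame)))
        if explicit_counter:
            pdu = tx_ctr.to_bytes(4, "big") + pdu   # counter carried in band
        tx_ctr += 1
        if i in drop:                               # link outage: frame lost
            received.append(None)
            continue
        if explicit_counter:
            ctr, body = int.from_bytes(pdu[:4], "big"), pdu[4:]
        else:
            ctr, body = rx_ctr, pdu                 # receiver can only assume
        rx_ctr += 1
        received.append(xor(body, keystream(KEY, ctr, len(body))))
    return received


def frames_recovered(explicit_counter: bool, drop: set) -> int:
    """Number of frames the receiver decrypted back to the original plaintext."""
    return sum(1 for f, r in zip(FRAMES, run_link(explicit_counter, drop)) if r == f)
```

A real link would pair the in-band counter with an authentication tag so that bit errors and replayed counters are detected and rejected rather than silently decrypted to garbage.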
In a conventional system, communication includes both data carried over a user channel as well as overhead information carried on a separate overhead channel. This is true for both bidirectional and one-way links as well as fixed and mobile networks. Transmissions may be in burst or continuous form. Typically, the overhead and data information are multiplexed and transmitted in encrypted form using the encryption algorithm. However, the communication of encryption information is conducted out of band. In addition, there is a need for external key management, including key generation, distribution and rollover.
The complexity of a system having multiple modems is increased where all communications among the modems must be encrypted. Moreover, when encryption keys are to be exchanged, on a session basis, added inefficiencies will arise.
Further, since encryption information is sent out of band on a separate channel, this information remains vulnerable to attack since its communication is not itself encrypted.
Accordingly, there is a need to have a secure modem design that is effective in providing communications security for data exchanged between two modems, involves low overhead, and uses standard algorithms, but nonetheless, is robust against bit errors and link outages, particularly in mobile and wireless applications. Further, there is a need to provide a system using secure modems that provides mutual identification and authentication, as well as automated, over the air dynamic encryption key generation, exchange and rollover.